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Self Test System 

This invention relates to a self-test process and apparatus that has inherent self- 
testing capabilities, for use with control system, in particular but not 
5 exclusively for use in vehicles . 

Electronic systems that are used in systems where a failure may have serious 
consequences need various fault monitoring systems to ensure such faults are 
detected and suitable corrective action taken. Many such fault monitoring 

10 systems are known (for example a comparator can be used to compare a supply 
voltage with a fixed reference voltage, generating an error whenever the supply 
voltage is under (or over) the reference). Given that failures are a rare event, it 
is possible for faults to develop in the fault monitoring systems before the 
faults they are designed to detect occur. If these faults go undetected, it is then 

15 ; possible that when a more serious fault occurs (one that the fault monitoring 
system was designed to detect) this will go undetected with serious 
consequences. 

Based on the foregoing there is clearly a need for a way of monitoring the 
20 fault-monitoring systems themselves. 

The invention will now be described, by way of example only, with reference 
to the accompanying drawings, in which like reference numerals refer to 
similar elements and in which: 
25 Figure 1 shows a functional diagram of components of an electronic system 
incorporating a first embodiment of a self-test system; and 
Figure 2 is a circuit diagram illustrating the an embodiment of the self-test 
system of Figure 1; 
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Figure 3 shows a functional diagram of components of an electronic system 
incorporating a second embodiment of a self-test system; and 
Figure 4 is a flow diagram illustrating the operation of the self-test system of 
Figure 3. 

5 

A method and apparatus for self-testing an electronic system is described. In 
the following description, for the purposes of explanation, numerous specific 
details are set forth to provide a thorough understanding of the present 
invention. It will be apparent to a person skilled in the art that the present 
10 invention may be practised without these specific details. In other instance, 
well-known structures and devices are shown in block diagram form to avoid 
unnecessarily obscuring the present invention. 

The needs identified above and other needs and objects that will become 
15 apparent from the following description are achieved in the present invention 
which comprises, in one aspect, an electronic system comprising a system to be 
monitored and a plurality of fault-monitoring systems. Each of the fault- 
monitoring systems is adapted to output a fault signal when an input indicates 
that the electronic system is in a fault condition associated with the fault- 
20 monitoring system. The fault-monitoring systems are arranged in a cascade 
fashion such that a fault signal output from one fault-monitoring system is 
provided as an input to a subsequent fault-monitoring system in the cascade of 
fault-monitoring systems to simulate a fault condition associated with the 
subsequent fault-monitoring system. The output of the final fault-monitoring 
25 system in the cascade gives an indication of whether there is a fault with any of 
the fault-monitoring systems. Alternatively the outputs of each of the 
individual fault-monitoring systems may be monitored to indicate whether 
there is a fault with any of the fault-monitoring systems. 
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In other aspects, the invention encompasses a method and a computer-readable 
medium for carrying out the foregoing steps. 

The electronic system to be described is part of the electronic system used in a 
5 vehicle such as a car but the method is applicable to other electronic systems 
which include fault-monitoring systems. 

Figure 1 shows an embodiment of a self-testing fault monitoring system. The 
electronic system incorporates the system to be monitored 2 (which will 

10 typically contain a microprocessor), a first fault detection device 4 (which may 
for example take the form of a watchdog for the processor) and a second (and 
in this case final) fault detection device 6 (which may for example take the 
form of a voltage level detector, monitoring the power rails of the processor). 
A system 8 provides the required action on detection of a fault (for example to 

1 5 switch off the system 2) and non- volatile memory 1 0 allows storage of a record 
of the success or failure of the self testing process. 

In either of the above fault detection situations, the fault action system 8 is 
activated either directly, via fault-monitoring system 6, or indirectly, by fault- 
20 monitoring system 4 simulating a fault in monitor 6 which then causes the 
action. 

The fault-monitoring systems 4, 6 are designed to monitor for fault conditions. 
However the electronic system in which these components are implemented 
25 has no way of knowing whether the fault condition detectors are operating 
properly or not. The embodiment shown in the figures allows an electronic 
system to monitor the fault-monitoring systems. Preferably, a self-test is 
carried out each time the system is shut down. 
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Thus when the electronic system is to be shut down, the system 2 being 
monitored changes its function so as to cause fault detector 4 to detect a fault. 
If the fault detector circuit 4 is operating properly, then it will generate an 
output which will cause fault detector 6 to see a fault. A record of this event is 

5 stored in the non-volatile memory 10, as well as causing the fault response 
activator 8 to carry out a response to a fault condition (typically to shut down 
the system 2). When the system 2 next receives a signal to start up, it checks 
for the record in the non-volatile memory. If, on start up, such a record is not 
in the non- volatile memory then the system 2 registers that the fault-monitoring 

10 systems did not function correctly and therefore one of the fault-monitoring 
systems 4,6 is faulty. The system then takes the appropriate action e.g. shutting 
itself down after generating an appropriate fault message. If the system 2 
determines that the test of the fault detectors was successful, then the record in 
the non- volatile memory is cleared, ready for the next self-test. 

15 

In a further aspect of the invention a partial self-test is also carried out on start 
up. On switch on, the supply voltage V sup p ramps up to the required level. 
Therefore a self-test of an under-voltage detector (e.g. fault-monitoring system 
6) may also be carried out on start up to test whether the under-voltage detector 

20 6 is correctly detecting an under-voltage situation. Thus, on starting operation 
of the system, a start-up monitor 12 can check that the under voltage fault- 
monitoring system 6 initially detects a fault (when the supply voltage is low) 
and then detects no fault (when the supply in within specification). This fault- 
monitoring system can inform the electronic system being monitored 2 of its 

25 result, and/or active the fault-response activator 8, and/or store a record in the 
non- volatile memory 10. 

Figure 2 shows an embodiment of the fault detection system, comprising 
under- and over- voltage detectors for two power supply lines (5V and 2.6V). 
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The actual detection of under/over voltage is performed by the 4 comparators 
(30, 32, 34, 36). A signal A indicates an input to the first fault-monitoring 
device comprising comparators 30, 32. Transistor Tl allows the system to 
induce a fault into the first comparator 30 which via T2 induces a fault in the 

5 second comparator 32. The fault signal B output from the comparator 32 then 
induces a fault in the next fault-monitoring device comprising comparators 34, 
36. Thus fault signal B output from the comparator 32 induces a fault in the 
next comparator 34 via Dl and in turn comparator 34 induces a fault in the last 
comparator 36 via D2. The fault signal C output from the second fault- 

10 monitoring system (comprising comparators 34, 36) is then used to trigger the 
fault response activator 8. 

In an implementation as shown in this first embodiment described with 
reference to Figures 1 and 2, there are two fault-monitoring devices: at the 
15 beginning of the cascade of fault-monitoring devices there is a watchdog 
system 4 (or similar) connected to a microprocessor, while at the far end of the 
cascade a fault output signal from the second fault monitoring system 6 turns 
the system off (or resets the microprocessor). 

20 In a further development, when the electronic system is placed into a fault 
condition for which the first fault-monitoring device is monitoring, a flag or 
value (e.g. 1) is stored in the non- volatile memory 10. If the microprocessor of 
the electronic system 2 is still running after a given period of time (i.e. the 
microprocessor has not shut down), then the cascade is triggered. The 

25 processor then writes a different value (e.g. 2) to the non-volatile memory 10 
and switches off. On start up, by examining the non-volatile memory, the 
reason for the stop can be found. The value should be erased after reading so 
that a real fault can be distinguished from a "test" fault. 
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Although Figures 1 and 2 show embodiments in which only two fault 
monitoring systems (4 and 6) are provided, it will be apparent that there further 
fault-monitoring systems may be provided. In this case, the output of a first 
5 fault-monitoring system may be provided as the input to a second, the output of 
the second may be input to a third, and so on. 

Figure 3 shows a second embodiment of a self test system. The electronic 
system incorporates a system to be monitored 2 (typically including at least one 
10 processor), a first fault-monitoring device in the form of a voltage level 
detector 4 and a second fault-monitoring device in the form of a watchdog 
circuit 6. A second processor 8 may also be provided to monitor the operation 
of the first processor 2. Non-volatile memory 10 may be provided to store fault 
history records. 

15 

The voltage level detector 4 includes an op-amp, a first (non-inverting) input of 
which is connected to the supply voltage V SU pp and the second, inverting, input 
of which is connected to a reference voltage V ref . In use, the supply voltage of 
the electronic system is likely to change. For instance, when the electronic 

20 system is powered up, the voltage will increase from nominally 0V to a voltage 
in the region of that required by the electronic system e.g. 3 V. During this 
ramp-up stage, the voltage may overshoot the required supply voltage. This 
results in a so-called over-voltage situation. As this over-voltage may result 
from some fault with the power supply of the electronic system, this is deemed 

25 to be a fault situation. 



When the magnitude of the supply voltage is greater than the magnitude of the 
reference voltage, the op-amp produces an output signal and hence the voltage 
level detector 4 outputs a fault signal. 
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The watchdog circuit 6 receives as an input a signal from the processor 2 to 
indicate that the processor is operating correctly. In normal conditions, the 
signal is output from the processor 2 in a periodic manner. If the watchdog 
5 circuit does not receive the signal when it is expecting a signal, the processor is 
determined to be in an abnormal state and the watchdog circuit 6 outputs a fault 
signal in the form of a reset signal. 

In either of these fault detection situations, the processor is reset i.e. the 
10 operation of the processor is stopped and re-started. 

The level detector 4 and the watchdog circuit 6 are designed to monitor for 
fault conditions. However the electronic system in which these components are 
implemented has no way of knowing whether the fault condition detectors are 
15 operating properly or not. Thus, a self-test is carried out each time the 
microprocessor is shut down, either because of a reset or because the associated 
system has been turned off. 

Thus, according to a first aspect, when the electronic system is to be shut down, 
20 the processor monitors for the detection of an over voltage condition. If the 
level detector circuit 4 is operating properly, then the level detector circuit 4 
should output an over voltage reset signal on shut down. Thus, when the 
system, in particular the processor of the electronic system, is shut down, the 
processor monitors for an over voltage signal at the output from the level 
25 detector 4. When an over voltage current occurs on stopping of the operation 
of the processor 2, a record to this effect is stored in non-volatile memory 10. 
When the processor 2 next receives a signal to start up, the processor looks for 
the record in the non-volatile memory. If, on start up, such a record is not in 
the non-volatile memory then the processor 2 registers that the over voltage 
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monitoring circuit 4 has not detected the over voltage situation on shut down 
and that therefore the over voltage detection device 4 is faulty. The processor 
then takes the appropriate action e.g. shutting itself down after generating an 
appropriate fault message. The record in the non-volatile memory is preferably 
5 cleared when this fault message is generated. 

An additional or alternative self test may be carried out. This relates to the self 
testing of the watchdog circuit 6. This self test is done automatically on shut 
down of the processor 2. When a signal is sent to the processor to cease 
10 operation, the processor in response ceases sending the periodic signal to the 
watchdog circuit 6. The watchdog circuit 6 then detects that it is not receiving 
the usual periodic signals from the microprocessor 2 and thus generates a reset 
signal. This is received by the processor 2 and a record of this reset signal is 
stored in the non-volatile memory 10. The processor 2 then shuts down. 

15 

On subsequent commencement of operation of the processor 2, the processor 
carries out a check to see if the non-volatile memory 10 includes a record of the 
reset signal generated by the watchdog device 6. When the non-volatile 
memory does not include such a record, a fault message is then generated and 
20 the processor shut down. 

Preferably a self test is carried out on shut-down for both the level detector 4 
and the watchdog circuit 6. The watchdog self-test may be carried out first, by 
ceasing the periodic signal from the processor 2 to the watchdog circuit 6, and 
25 monitoring for a fault signal from the watchdog circuit. This may then be 
followed by the level detector self-test. 

A self-test may also be carried out on start up. As explained above, the supply 
voltage V supp ramps up to the required level on start up. Therefore a self-test of 
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the level detector 4 is also carried out on start up to test that the level detector 4 
is correctly monitoring an under-voltage situation. Thus on starting operation 
of the processor, the self-test routing monitors for the generation of a fault 
signal from the level detector 4. On generation of a fault signal from the fault- 

5 monitoring device on starting of the operation of the processor, a record to this 
effect is stored in the non-volatile memory 10. On subsequent receipt of a 
message to stop operation of the processor, the processor checks whether the 
non- volatile memory 10 includes a record of a fault signal and when the non- 
volatile memory does not include a record of such a fault signal, an alarm 

10 signal is generated. 

Figure 4 is a flow diagram showing the operation of the self test program. This 
routine is run on start up or shut down (e.g. when the ignition of a vehicle is 
started or on or after a reset or any other reason). In the first step (401) the 

15 processor receives a command to enter a fault condition for a first fault- 
monitoring system e.g. to switch off the processor 2. This may be due to a 
reset from the watch dog application or the voltage detector (or another fault 
detection device). The processor then enters the fault condition (402) e.g. the 
processor initiates cessation of operation, which is intended to generate a fault 

20 condition. 

The system then runs the self test routine as discussed above i.e. monitors (403) 
to see whether the watch dog application outputs a fault flag and/or whether the 
voltage detector outputs the fault flag. If a fault signal is output from the fault- 
25 monitoring device, then a record of the fault signal is stored (404) in non- 
volatile memory. In either case, the processor then shuts down all operations 
(405). 
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On subsequent reversion (406) of the system into a non-fault condition e.g. 
start-up of the processor (406) (either as a result of a reset signal or because the 
system is powered up by a user), the processor checks (407) whether a record is 
stored in the non-volatile memory for the self-test that was carried out on shut- 

5 down. If no such record is present in the non-volatile memory, then an alarm 
signal is generated (408). This alarm signal or message indicates that the 
associated fault detection component is not operating properly. In response, 
the processor would usually shut down until the fault is cleared. However if 
the non-volatile memory does include a record for the associated fault detection 

10 component, the electronic system can continue to operate as normal (409). 

If an under-voltage self-test is also to be carried out, the processor may, before 
step 409, check for the e?dstence of a record indicating that the level detector 4 
detected an under-voltage situation on the previous start-up of the processor. If 

15 no such record is detected, an alarm signal may be generated (408). 
Alternatively the processor may run another sub-routine after step.409 in which 
the processor shuts itself down and starts itself up again to run the under- 
voltage routine. This additional stop/start routine will result in a small delay in 
starting of the processor for normal operation but is unlikely to be noticeable to 

20 a user. 

The invention thus aims to reduce the risk of a fault in a fault-monitoring 
system from going undetected by testing the fault monitoring systems. 
Preferably the fault monitoring systems are tested every time the monitored 
25 system is shutdown and restarted (e.g. in the case of a vehicle such as a car this 
will happen before and after every journey). 

In the foregoing specification, the invention has been described with reference 
to specific embodiments thereof. It will however be evident that various 
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modifications and changes may be made thereto without departing from the 
broader spirit and scope of the invention. The description and drawings are, 
accordingly, to be regarded in an illustrative rather than a restrictive sense. 



